Restricting PHP Function Calls from XSLT

A quick post from Christian Stocker shows you how to only allow certain PHP functions to be called from within PHP

I just committed a patch to the xsl-extension of PHP, which makes it possible to only allow certain PHP functions to be called from within PHP. While registerPHPFunctions is (IMHO) a cool and useful feature, it can be pretty dangerous if your XSLT stylesheets do not come from a totally trusted source. But now in PHP 5.1 you will be able to define, which functions are allowed, for example

$xsl->registerPHPFunctions(array("date","time"));

would allow only the date and time function. You can also define static methods like "MyClass::MyMethod". Calling the method multiple times will add those functions to the allowed list, not remove the old ones. And calling it without parameter just allows everything like in PHP 5.0. You can also give a string instead of an array, if you just want to add one function to the list.

And here's the patch against PHP_5_0, if you want to use it on the 5.0 branch.

For more information visit: http://blog.bitflux.ch/